authorAlan Pearce2025-02-02 20:39:53 +0100
committerAlan Pearce2025-02-02 20:39:53 +0100
commit6f752c78607cf2043e0bd2ce4219510bc7965276 (patch)
tree46ab2157917e70a37b00b8f441eb133d8cd99fdd /system
parentbbc69d9fbfead8f20c48d76dec98cce143ad9602 (diff)
use srvos for better defaults on linde/marvin
Diffstat (limited to 'system')
-rw-r--r--system/linde.nix72
-rw-r--r--system/marvin.nix1
-rw-r--r--system/settings/configuration/nix-linux.nix10
-rw-r--r--system/settings/configuration/nix.nix2
-rw-r--r--system/settings/darwin.nix7
-rw-r--r--system/settings/services/git-server.nix45
6 files changed, 29 insertions, 108 deletions
diff --git a/system/linde.nix b/system/linde.nix
index 20d71e55..e82236d0 100644
--- a/system/linde.nix
+++ b/system/linde.nix
@@ -6,14 +6,14 @@
 
 with lib;
 let
-  netif = "enp1s0";
+  netif = "eth0";
   hostname = "linde";
   net-ip4 = "116.203.248.56";
-  net-mask4 = "32";
+  net-mask4 = 32;
   net-gw = "172.31.1.1";
   net-ip6 = "2a01:4f8:c012:23a4::1";
   net-redisip = "2a01:4f8:c012:23a4::6379";
-  net-mask6 = "64";
+  net-mask6 = 64;
   net-gw6 = "fe80::1";
   domain = "alanpearce.eu";
   ts-domain = "hydra-pinecone.ts.net";
@@ -56,9 +56,6 @@ in
     };
   };
 
-  # Use the systemd-boot EFI boot loader.
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
   boot.loader.efi.efiSysMountPoint = "/boot/efi";
 
   time.timeZone = "Europe/Berlin";
@@ -85,8 +82,6 @@ in
     enable = true;
     settings = {
       PermitRootLogin = "without-password";
-      PasswordAuthentication = false;
-      KbdInteractiveAuthentication = false;
     };
   };
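Review bot: Dropping `PasswordAuthentication = false;` and `KbdInteractiveAuthentication = false;` from `services.openssh.settings` leaves this host's SSH hardening entirely to whatever the srvos modules set, and nothing in the `system/` tree shows that import, so a future module reshuffle could silently re-enable password login on a host that keeps `PermitRootLogin = "without-password"`. The same applies to the removal of `security.sudo.execWheelOnly = true;` in the later hunk of this file (@@ -283,7 +270,6 @@). Rather than relying on an inherited default, pin the intent locally with an assertion that fails evaluation if it ever drifts, e.g. `assertions = [ { assertion = !config.services.openssh.settings.PasswordAuthentication && !config.services.openssh.settings.KbdInteractiveAuthentication; message = "linde: ssh password/keyboard-interactive auth must stay disabled"; } ];`. The enclosing `services.openssh` attribute set starts before this hunk.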
   services.sshguard = {
@@ -134,6 +129,7 @@ in
     secretKeyFile = config.age.secrets.binarycache.path;
   };
 
+  programs.vim.defaultEditor = false;
   programs.neovim = {
     enable = true;
     defaultEditor = true;
@@ -144,7 +140,6 @@ in
   networking = {
     hostName = hostname;
     inherit domain;
-    useDHCP = false;
     dhcpcd.enable = false;
     nameservers = [
       "2606:4700:4700::1111"
@@ -157,6 +152,30 @@ in
       ${net-ip6} = [ "${hostname}.${domain}" hostname ];
       ${net-redisip} = [ "redis" ];
     };
+    defaultGateway = {
+      address = net-gw;
+      interface = netif;
+    };
+    defaultGateway6 = {
+      address = net-gw6;
+      interface = netif;
+    };
+    interfaces.${netif} = {
+      ipv4 = {
+        addresses = [
+          { address = net-ip4; prefixLength = net-mask4; }
+        ];
+        routes = [
+          { address = net-gw; prefixLength = 32; }
+        ];
+      };
+      ipv6 = {
+        addresses = [
+          { address = net-ip6; prefixLength = net-mask6; }
+          { address = net-redisip; prefixLength = net-mask6; }
+        ];
+      };
+    };
     firewall = {
       enable = true;
       allowPing = true;
@@ -188,44 +207,12 @@ in
       useLocalResolver = false;
     };
   };
+  services.cloud-init.network.enable = false;
   services.resolved = {
     enable = true;
     llmnr = "false";
     dnssec = "true";
   };
-  systemd.network = {
-    enable = true;
-    networks.${netif} =
-      {
-        name = netif;
-        routes = [
-          {
-            Gateway = net-gw6;
-            PreferredSource = net-ip6;
-            QuickAck = true;
-            InitialCongestionWindow = 30;
-            InitialAdvertisedReceiveWindow = 30;
-          }
-          {
-            Gateway = net-gw;
-            QuickAck = true;
-            InitialCongestionWindow = 30;
-            InitialAdvertisedReceiveWindow = 30;
-          }
-        ];
-        address = [
-          "${net-ip6}/${net-mask6}"
-          "${net-redisip}/${net-mask6}"
-        ];
-        addresses = [{
-          Address = "${net-ip4}/${net-mask4}";
-          Peer = "${net-gw}/32";
-        }];
-      };
-    wait-online = {
-      extraArgs = [ "--interface=${netif}" ];
-    };
-  };
 
   services.tailscale = {
     enable = true;
@@ -283,7 +270,6 @@ in
       "net.ipv4.tcp_slow_start_after_idle" = false;
     };
 
-  security.sudo.execWheelOnly = true;
   security.sudo.extraConfig = ''
     Defaults:root,%wheel env_keep+=EDITOR
   '';
diff --git a/system/marvin.nix b/system/marvin.nix
index ed79c8f2..21f085db 100644
--- a/system/marvin.nix
+++ b/system/marvin.nix
@@ -39,7 +39,6 @@
   nix.settings = {
     max-jobs = 8;
     cores = 4;
-    auto-optimise-store = false; # https://github.com/NixOS/nix/issues/7273
   };
 
   nix = {
diff --git a/system/settings/configuration/nix-linux.nix b/system/settings/configuration/nix-linux.nix
index e11b0389..1c26bc7e 100644
--- a/system/settings/configuration/nix-linux.nix
+++ b/system/settings/configuration/nix-linux.nix
@@ -1,5 +1,4 @@
 { config
-, lib
 , pkgs
 , ...
 }: {
@@ -11,20 +10,11 @@
     settings = {
       auto-optimise-store = true;
     };
-    daemonCPUSchedPolicy = "idle";
-    daemonIOSchedClass = "idle";
   };
 
   nixpkgs.config.allowUnfree = true;
 
   system.autoUpgrade = {
     enable = true;
-    flags = [ "--max-jobs" "2" ];
-  };
-  systemd.services.nixos-upgrade = {
-    script = pkgs.lib.mkForce ''
-      ${pkgs.nix}/bin/nix-channel --update
-      ${config.system.build.nixos-rebuild}/bin/nixos-rebuild boot --no-build-output ${toString config.system.autoUpgrade.flags}
-    '';
   };
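Review bot: Removing the `systemd.services.nixos-upgrade.script` override changes when upgrades take effect, not just how they are built: the old script ran `nixos-rebuild boot`, so a new generation only became active on the next reboot, whereas the stock `system.autoUpgrade` service switches the running system. If the deferred behaviour was intentional, express it through the module instead of a script override, e.g. `system.autoUpgrade.operation = "boot";` next to `enable = true;`; if the switch-on-upgrade behaviour is now wanted, the commit message should say so. The `--max-jobs 2` cap is also gone, so unattended rebuilds may now compete with other workloads on small hosts; `nix.settings.max-jobs` on the affected machine would restore the limit if needed.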
 }
diff --git a/system/settings/configuration/nix.nix b/system/settings/configuration/nix.nix
index b0459b16..481c3911 100644
--- a/system/settings/configuration/nix.nix
+++ b/system/settings/configuration/nix.nix
@@ -9,7 +9,6 @@
       use-xdg-base-directories = true;
       keep-outputs = true;
       keep-derivations = true;
-      experimental-features = "nix-command flakes";
       warn-dirty = false;
       substituters = [
         "https://nix-community.cachix.org"
@@ -38,7 +37,6 @@
           type = "path";
           path = pkgs.path;
         };
-
       };
   };
 }
diff --git a/system/settings/darwin.nix b/system/settings/darwin.nix
index 0f507a31..9841c06c 100644
--- a/system/settings/darwin.nix
+++ b/system/settings/darwin.nix
@@ -16,9 +16,7 @@
     [ "/run/current-system/sw" "/nix/var/nix/profiles/default" ]
   ];
 
-  environment.darwinConfig = "$HOME/.config/nixpkgs/darwin-configuration.nix";
   nix = {
-    daemonIOLowPriority = true;
     settings.extra-platforms = "aarch64-darwin x86_64-darwin";
 
     settings.trusted-users = [ "@admin" ];
@@ -28,11 +26,6 @@
     allowUnfree = true;
   };
 
-  # needed so that nix-darwin can activate the system as root
-  security.sudo.extraConfig = ''
-    Defaults	env_keep += "NIX_PATH"
-  '';
-
   services.lorri.enable = true;
   launchd.user.agents.lorri = {
     serviceConfig = {
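Review bot: The removed `security.sudo.extraConfig` block carried a comment explaining it was needed so nix-darwin can activate the system as root (`env_keep += "NIX_PATH"`), and nothing in this hunk replaces it. If activation now works without `NIX_PATH` (e.g. because the flake-based setup no longer consults it), a one-line note in the commit message or a comment near `nix = {` would stop the next reader from re-adding it; if it still matters, the removal will surface as a failing `darwin-rebuild switch` rather than at evaluation time. This is presumably a srvos-provided default on Linux hosts, but srvos has no bearing on the darwin configuration here, so it is worth confirming separately.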
diff --git a/system/settings/services/git-server.nix b/system/settings/services/git-server.nix
index 512067ce..df3c0ea2 100644
--- a/system/settings/services/git-server.nix
+++ b/system/settings/services/git-server.nix
@@ -224,51 +224,6 @@ in
       };
   };
 
-  programs.ssh = with pkgs; {
-    knownHostsFiles = [
-      (writeText "github.keys" ''
-        # github.com:22 SSH-2.0-babeld-05989c77
-        # github.com:22 SSH-2.0-babeld-05989c77
-        # github.com:22 SSH-2.0-babeld-05989c77
-        # github.com:22 SSH-2.0-babeld-05989c77
-        # github.com:22 SSH-2.0-babeld-05989c77
-        github.com ssh-rsa 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
-        github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
-        github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
-      '')
-      (writeText "gitlab.keys" ''
-        # gitlab.com:22 SSH-2.0-GitLab-SSHD
-        # gitlab.com:22 SSH-2.0-GitLab-SSHD
-        # gitlab.com:22 SSH-2.0-GitLab-SSHD
-        # gitlab.com:22 SSH-2.0-GitLab-SSHD
-        # gitlab.com:22 SSH-2.0-GitLab-SSHD
-        gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
-        gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
-        gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
-      '')
-      (writeText "codeberg.keys" ''
-        # codeberg.org:22 SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2
-        # codeberg.org:22 SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2
-        # codeberg.org:22 SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2
-        # codeberg.org:22 SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2
-        # codeberg.org:22 SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2
-        codeberg.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8hZi7K1/2E2uBX8gwPRJAHvRAob+3Sn+y2hxiEhN0buv1igjYFTgFO2qQD8vLfU/HT/P/rqvEeTvaDfY1y/vcvQ8+YuUYyTwE2UaVU5aJv89y6PEZBYycaJCPdGIfZlLMmjilh/Sk8IWSEK6dQr+g686lu5cSWrFW60ixWpHpEVB26eRWin3lKYWSQGMwwKv4LwmW3ouqqs4Z4vsqRFqXJ/eCi3yhpT+nOjljXvZKiYTpYajqUC48IHAxTWugrKe1vXWOPxVXXMQEPsaIRc2hpK+v1LmfB7GnEGvF1UAKnEZbUuiD9PBEeD5a1MZQIzcoPWCrTxipEpuXQ5Tni4mN
-        codeberg.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL2pDxWr18SoiDJCGZ5LmxPygTlPu+cCKSkpqkvCyQzl5xmIMeKNdfdBpfbCGDPoZQghePzFZkKJNR/v9Win3Sc=
-        codeberg.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIVIC02vnjFyL+I4RHfvIGNtOgJMe769VTF1VR4EB3ZB
-      '')
-      (writeText "sr.ht.keys" ''
-        # git.sr.ht:22 SSH-2.0-OpenSSH_9.6
-        # git.sr.ht:22 SSH-2.0-OpenSSH_9.6
-        # git.sr.ht:22 SSH-2.0-OpenSSH_9.6
-        # git.sr.ht:22 SSH-2.0-OpenSSH_9.6
-        # git.sr.ht:22 SSH-2.0-OpenSSH_9.6
-        git.sr.ht ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ+l/lvYmaeOAPeijHL8d4794Am0MOvmXPyvHTtrqvgmvCJB8pen/qkQX2S1fgl9VkMGSNxbp7NF7HmKgs5ajTGV9mB5A5zq+161lcp5+f1qmn3Dp1MWKp/AzejWXKW+dwPBd3kkudDBA1fa3uK6g1gK5nLw3qcuv/V4emX9zv3P2ZNlq9XRvBxGY2KzaCyCXVkL48RVTTJJnYbVdRuq8/jQkDRA8lHvGvKI+jqnljmZi2aIrK9OGT2gkCtfyTw2GvNDV6aZ0bEza7nDLU/I+xmByAOO79R1Uk4EYCvSc1WXDZqhiuO2sZRmVxa0pQSBDn1DB3rpvqPYW+UvKB3SOz
-        git.sr.ht ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCj6y+cJlqK3BHZRLZuM+KP2zGPrh4H66DacfliU1E2DHAd1GGwF4g1jwu3L8gOZUTIvUptqWTkmglpYhFp4Iy4=
-        git.sr.ht ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60
-      '')
-    ];
-  };
-
   systemd.services = concatMapAttrs createMirrorService mirrors;
   systemd.paths = concatMapAttrs createMirrorPath mirrors;
   systemd.targets.git-mirroring = {
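Review bot: Deleting the pinned `programs.ssh.knownHostsFiles` entries for github.com, gitlab.com, codeberg.org and git.sr.ht removes the host-key pins that the mirror services (`createMirrorService`, defined above this hunk) rely on for SSH fetches; with no replacement visible in this commit, the first connection to each remote will either fail on an unknown host key or fall back to trust-on-first-use, depending on the client's `StrictHostKeyChecking` setting. If srvos now supplies these well-known host keys, a short comment at the deletion site such as `# upstream host keys are provided by srvos (programs.ssh.knownHosts)` would document the dependency; if it does not, keep the pins, ideally via `programs.ssh.knownHosts` with the `publicKey` attribute rather than generated files. Note that the removed github.com ssh-rsa line was already truncated in this view, so the old file's contents should be checked from git rather than from this page.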